From 4c5f3525d5649dd3a6480d30e261172b34beb82f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 20 Mar 2018 09:26:29 -0400
Subject: [PATCH] Suricata Module - Add raw rule to the alert

---
 salt/suricata/files/suricata.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml
index c9aca9df6..847acb5ee 100644
--- a/salt/suricata/files/suricata.yaml
+++ b/salt/suricata/files/suricata.yaml
@@ -117,8 +117,13 @@ outputs:
             # packet: yes              # enable dumping of packet (without stream segments)
             # http-body: yes           # enable dumping of http body in Base64
             # http-body-printable: yes # enable dumping of http body in printable format
-            metadata: yes              # add L7/applayer fields, flowbit and other vars to the alert
-
+            metadata:
+              app-layer: true
+              flow: true
+              rule:
+                metadata: true
+                raw: true
+
             # Enable the logging of tagged packets for rules using the
             # "tag" keyword.
             tagged-packets: no
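Review bot: The structured `metadata:` mapping that replaces `metadata: yes` relies on Suricata recognising the `app-layer`/`flow`/`rule` sub-options, which older builds that only understood the boolean form presumably ignore or reject at startup, so this should be checked against the Suricata version the Salt state actually installs. `rule: raw: true` also copies the full signature text into every alert record, which grows eve.json and makes rule content (including any licensed rulesets) readable by every consumer of that log; a comment stating the trade-off would help, e.g. `# raw: include the full rule text in each alert (larger eve.json; rule content visible to all log readers)`. The added lines spell booleans as `true` while the neighbouring keys in this file use `yes`/`no` (`tagged-packets: no` two lines below); Suricata accepts both, but matching the file's existing spelling keeps it consistent. The enclosing `- alert:` block starts before the hunk.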